An Android app sitting on the Google Play store touts itself as a photo editor. But it contains code that steals the user’s Facebook credentials, potentially to run ad campaigns on the user’s behalf with their stored payment information.
The app is called “Blender Photo Editor-Easy Photo Background Editor” and has been installed over 5,000 times to date.
Last week, similar malicious apps with over 500,000 installs were also found on the Play Store.
“Log in” with Facebook does more than just log in
Like many Android apps, the “Blender Photo Editor-Easy Photo Background Editor” app comes with Sign in with Facebook functionality. Except, it also makes use of your Facebook credentials to do some fishy stuff.
The app contains malicious code, identical to what was found in similar “photo editor” apps last week by Maxime Ingrao, a security researcher at mobile payments cybersecurity firm Evina.
The apps then make requests to the Facebook Graph API to peek into the user’s Facebook account and look for any ad campaigns and stored payment information.
The malware, according to Ingrao, “is very interested in the advertising campaigns you might have done and if you have a registered credit card.” This would allow the attacker behind these apps to create their own ad campaigns via the user’s Facebook credentials, and linked payment information.
Identical apps installed over 500,000 times
Ingrao had previously discovered similar malicious apps called “Magic Photo Lab – Photo Editor” and “Pix Photo Motion Edit 2021” with the latter scoring over 500,000 installs.
Both apps have since been removed from the Google Play store.
The researcher shared some insights with BleepingComputer as to how he found something wasn’t right with these apps.
“I noticed the suspicious code first by doing a dynamic analysis,” Ingrao tells BleepingComputer in an email interview.
BleepingComputer also analyzed the APK for “Blender Photo Editor-Easy Photo Background Editor,” which is still live on Google Play, and can confirm seeing identical malicious code in the app.
During our analysis, we attempted to roughly reconstruct the Java source code of the Android app from the compiled APK (bytecode).
The suspicious class “sources/com/easyblender/blendphoto/Blends/ext/AnaActivity.java” contains the WebView referenced by Ingrao. Additionally, we noticed partial strings such as “m.face” and “m.f”, referring to the m.facebook.com and m.fb.com domains.
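Split string literals like “m.face” and “m.f” are a common way for an APK to keep a sensitive hostname out of a plain `strings` grep. The following is an added example, written for this article and not code from the app, from Evina, or from BleepingComputer, of how an analyst can scan decompiled Java for that pattern: it collects `String NAME = "..."` constants, rebuilds `"a" + NAME + "b"` concatenation chains, and separately flags any literal that is a proper prefix of a watch-listed domain. The watch list and the sample Java class are constructed for the demonstration (the class name and field names are hypothetical and only loosely modelled on the decompiler output described above).

```python
import re

# Watch list, an assumption for this example: the two domains the article names
# plus the Graph API host that the described requests would go to.
SUSPECT_DOMAINS = ("m.facebook.com", "m.fb.com", "graph.facebook.com")

LITERAL = r'"(?:[^"\\]|\\.)*"'                     # one Java string literal
CONST_DECL = re.compile(r'String\s+(\w+)\s*=\s*(' + LITERAL + r')\s*;')
# A chain of literals and/or identifiers joined by '+', e.g. "https://" + H1 + "/x"
CONCAT_CHAIN = re.compile(r'(?:' + LITERAL + r'|\b\w+\b)(?:\s*\+\s*(?:' + LITERAL + r'|\b\w+\b))+')
TOKEN = re.compile(LITERAL + r'|\b\w+\b')


def _unquote(lit):
    """Strip the surrounding quotes and unescape embedded double quotes."""
    return lit[1:-1].replace('\\"', '"')


def string_constants(src):
    """Map constant name -> value for every `String NAME = "...";` declaration."""
    return {name: _unquote(lit) for name, lit in CONST_DECL.findall(src)}


def resolved_concatenations(src):
    """Rebuild each '+' chain, substituting known String constants for identifiers.
    Identifiers that cannot be resolved are kept as '{name}' so they never
    accidentally complete a domain."""
    consts = string_constants(src)
    rebuilt = []
    for chain in CONCAT_CHAIN.finditer(src):
        parts = []
        for tok in TOKEN.findall(chain.group(0)):
            if tok.startswith('"'):
                parts.append(_unquote(tok))
            else:
                parts.append(consts.get(tok, "{" + tok + "}"))
        rebuilt.append("".join(parts))
    return rebuilt


def fragment_hits(src, domains=SUSPECT_DOMAINS):
    """Literals that are a proper prefix of a suspect domain (e.g. "m.face", "m.f").
    Requiring a dot and at least three characters keeps ordinary words out."""
    hits = set()
    for lit in re.findall(LITERAL, src):
        value = _unquote(lit)
        if "." in value and len(value) >= 3:
            for domain in domains:
                if domain.startswith(value) and value != domain:
                    hits.add(value)
    return sorted(hits)


def scan(src, domains=SUSPECT_DOMAINS):
    """Return the suspect domains found in rebuilt strings and the bare fragments."""
    resolved = sorted({d for s in resolved_concatenations(src) for d in domains if d in s})
    return {"resolved": resolved, "fragments": fragment_hits(src, domains)}


# Constructed sample resembling decompiler output; NOT the real app's code.
SAMPLE_JAVA = r'''
public class AnaActivity extends Activity {
    private static final String H1 = "m.face";
    private static final String H2 = "book.com";
    private static final String ALT = "m.f";
    WebView wv;
    void start() {
        wv.loadUrl("https://" + H1 + H2 + "/login");
        String graph = "https://graph." + "facebook.com";
        String fallback = "https://" + ALT + "b.com";
    }
}
'''

if __name__ == "__main__":
    for key, values in scan(SAMPLE_JAVA).items():
        print(key, values)
```

Run against a directory of decompiled sources, the `resolved` list tells you which watch-listed hosts the code can actually assemble, while `fragments` catches the cases where the pieces are joined somewhere the simple concatenation rule does not follow (a `StringBuilder`, a method call, or a value loaded from resources), which is exactly how the “m.face” and “m.f” strings surfaced in the manual analysis above.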
And this is when the aforementioned requests to Facebook’s Graph API are made, to peek into any Facebook ad campaigns present in the user’s account, along with the associated payment information:
Android users should be wary of such “photo editor” apps recently seen on the Google Play store. Those who have already installed any such app should uninstall the app immediately, clean up their smartphone, and reset their Facebook credentials.
BleepingComputer has reported the aforementioned Blender photo editor app to Google Play prior to publishing.